YELLOW BALLOON CITY BUS Co., Ltd. (hereinafter referred to as the "Company") complies with the 「Personal Information Protection Act」 and related laws and regulations to protect the freedom and rights of data subjects, lawfully processing and securely managing personal information. In accordance with Article 30 of the 「Personal Information Protection Act」, the Company hereby establishes and discloses the privacy policy to guide data subjects on the procedures and standards for personal information processing and to promptly and smoothly handle related complaints.

This privacy policy will be effective from March 26, 2024.

Article 1 (Purpose and Items of Personal Information Collection and Use)

1. The Company processes personal information for the following purposes. The personal information processed will not be used for purposes other than the following, and if the purpose of use is changed, the Company will take necessary measures such as obtaining separate consent in accordance with Article 18 of the 「Personal Information Protection Act」.
   1. Website Membership Registration

      Purpose and Items of Personal Information Collection and Use

      Service	Purpose of Collection and Use	Items of Collection and Use
      Registration via email	Website membership registration and management, duplicate registration checking, membership service provision	Required	Identity verification information (CI, mobile phone number, date of birth), ID (e-mail), password, name (Korean/English), mobile phone number, date of birth, gender
      Registration via SNS account	User identification, statistics, account linkage, and CS support	Required	Naver User ID, e-mail Kakao Identity verification information (encrypted CI, name, date of birth, mobile phone number, gender), age group, membership number, Kakao account (e-mail) Apple Apple ID (email), name If the user agrees, the information will be provided by SNS.

   2. Product Consultation, Reservation, and Service Provision

      Purpose and Items of Personal Information Collection and Use

      Service	Purpose of Collection and Use	Items of Collection and Use
      Reservation of Yellow Balloon City Bus products	Consultation and reservation of Yellow Balloon City Bus products, customer management	Required	Name, mobile phone number, password, e-mail (for multilingual services)
      Payment / Settlement / Refund	Payment, settlement, and refund of Yellow Balloon City Bus products	Required	Name (Korean), date of birth, card information (card number, expiration date, first 2 digits of password) Required items to be collected additionally for each service - when requesting a refund: Bank name, account number, account holder
      Cash receipt	Issuance of cash receipts	Required	- For income deduction: mobile phone number, cash receipt card number - For proof of expenditure: mobile phone number, business registration number

   3. Others

      Purpose and Items of Personal Information Collection and Use

      Service	Purpose of collection and use	Items of Collection and Use
      Reservation confirmation for non-members	Product reservation inquiry by non-members	Required	Name (Korean/English), mobile phone number, password, e-mail (for multilingual services)
      Customized service & marketing	Utilization of marketing (analysis of service use, provision of personalized product/service benefit information, transmission of advertising information such as promotions and events)	Optional	Name, date of birth, gender, e-mail, mobile phone number, home phone, home address, occupation, marital status, wedding anniversary, country
      Automatically collected and generated information according to the use of the service	Identity verification and service use statistics, prevention of fraudulent use, provision of customized service and marketing information	Auto-generation	Access IP information, cookies, access logs, mobile device information (operating system and version, device identification information), payment records
      Privacy Request for Correction/Access/Deletion	Identity verification of the principal and agent	Required	ID (e-mail), name, mobile phone number, copy of ID card (resident registration number masking) Required items to be collected additionally -when applying for an agent: Power of attorney, certificate of relationship (certificate of family relationship, certificate of death)

Article 2 (Processing and Retention Period of Personal Information)

1. The Company processes and retains personal information within the period of retention and use of personal information as required by law or agreed upon when collecting personal information from the data subject.
2. The processing and retention periods for each category of personal information are as follows:
   1. Website membership registration: to be retained until completion of membership withdrawal (However, optional information will be retained until withdrawal of consent for receiving communications and completion of membership withdrawal).
   2. Product consultation and reservation: to be retained until the provision of service and according to retention periods required by relevant laws and regulations.
   3. Provision of product services: to be retained up to 5 years.

      Processing and Retention Period of Personal Information

      Basis for Retention (applicable law)	Items of Retention	Retention Period
      Act on the Consumer Protection in Electronic Commerce, etc.	Records on withdrawal of contract or subscription, etc.	5 years
      	Records on payment and supply of goods, etc.	5 years
      	Records of consumer complaints or dispute settlement	3 years
      	Records on labelling & advertisements	6 months

   4. Quotation inquiry: to be retained for 3 months after processing completion.
   5. Satisfaction survey: to be retained for 2 months after survey completion (However, in the case of a member, to be retained until completion of membership withdrawal).
   6. Satisfaction survey prize draw: to be destroyed immediately after winner selection (However, winner information will be retained for a maximum of 1 year).
   7. Customized service and marketing: to be retained until withdrawal of consent for receiving communications and completion of membership withdrawal.
   8. Application for correction/access/deletion of personal information: to be retained for 3 years from the application date.
   9. Computer communication, internet log records, access location tracking data: to be retained for 3 months (based on the Protection of Communications Secrets Act).
3. However, in the following cases, the information shall be retained until the end of the relevant reason:
   1. In case of investigation or inquiry due to violation of related laws and regulations: to be retained until the end of the investigation or inquiry.
   2. In case of remaining rights and obligations related to service use: to be retained until settlement of relevant rights and obligations.
   3. In case of provision of goods or services: to be retained until completion of supply of goods or services and payment settlement.

Article 3 (Provision of Personal Information to Third Parties)

1. The Company processes the personal information of the data subject within the scope specified for the purpose of processing personal information, and provides personal information to third parties only within the scope specified in Articles 17 and 18 of the 「Personal Information Protection Act」, such as consent of the data subject or special provisions of the law.
2. The Company may provide personal information to business partners for smooth service provision, obtaining consent from the data subject and providing only the necessary minimum information.

   Provision of Personal Information to Third Parties

   Recipient	Purpose of Use	Items Provided	Period of Retention and Use	Cross-border transfer or not	Grounds
   Naver	Reservation confirmation and accumulation of event points	Naver user's unique identifier, last 4 digits of mobile phone number, product reservation information	Until the purpose of use is achieved.	Cross-border transfers	Consent of the data subject
   Kakao	Reservation confirmation and cancellation, information on event, etc.	Mobile phone number	Until the purpose of use is achieved.	Cross-border transfers

3. In the event of emergencies such as disasters, infectious diseases, incidents or accidents causing urgent life or bodily risks, urgent property losses, etc., the Company may provide personal information to relevant agencies without the consent of the data subject.

   Provide personal information in the event of an emergency

   Category	Legal Basis	Recipient	Items Provided
   Disaster response	Disaster Safety Act	Central Countermeasures Headquarters or Regional Countermeasures Headquarters	Name, resident registration number, address and telephone number (including mobile phone number) The following information for identification of travel routes and search and rescue a. Information collected through CCTV; b. Specification of use of transportation cards; c. Date and time of use of credit cards, debit cards, and prepaid cards, and places of use; and d. The name and phone number of the medical institution on the prescription, and the date and time of the consultation on the medical record
   Prevention and control of infectious diseases	Infectious Diseases Control and Prevention Act	Korea Disease Control and Prevention Agency or cities and provinces nationwide	Name, resident registration number, address, and telephone number (including mobile phone number) Prescriptions and medical records in accordance with the 「Medical Care Act」 Immigration records for the period determined by the Commissioner of the Korea Disease Control and Prevention Agency The following information for identification of travel routes a. Specifications of use of credit cards, debit cards, and prepaid cards in accordance with the 「Specialized Credit Finance Business Act」; b. Specifications for the use of transportation cards in accordance with the 「Act on the Support and Promotion of Use of Public Transportation」; and c. Image information collected through other image information processing devices in accordance with the 「Personal Information Protection Act」
   Protecting people at risk of suicide	Act on the Prevention of Suicide and the Creation of Culture of Respect for Life	Police Stations Coast Guard Fire Stations	Name, resident registration number (date of birth if there is no resident registration number), address and telephone number (including mobile phone number), ID, e-mail address, and personal location information of the person receiving emergency assistance, etc.
   Processing of personal information of persons involved in crimes such as abduction and confinement	Personal Information Protection Act	Police Stations	CCTV and other video information

4. In such cases, the Company will provide only the minimum necessary personal information based on applicable laws and regulations, and will not provide information for purposes other than those specified.

Article 4 (Entrustment of Processing of Personal Information)

1. The Company entrusts personal information processing work for smooth operation as follows:

   Entrustment of Processing of Personal Information

   Entrusted Agency	Entrusted Work	Period of Retention and Use
   KG INICIS Co., Ltd.	Payment processing services, identity verification services	Until withdrawal of membership and termination of the entrustment contract
   Toss Payments Co., Ltd.	Payment processing services
   Kakao Enterprise Corp.	Smart message service (KakaoTalk, Alert Talk/Friend Talk, SMS/LMS/MMS delivery)
   NINETREE Co., Ltd.	Website operation and maintenance

2. When entering into entrustment contracts, the Company specifies in documents such as contracts the prohibition of personal information processing beyond the purpose of entrustment, technical and managerial protective measures, restrictions on re-entrustment, management and supervision of entrusted agencies, and liabilities including compensation for damages, and supervises whether the entrusted agencies handle personal information safely according to Article 26 of the 「Personal Information Protection Act」.
3. In case of changes in the content of entrusted work or agencies, the Company will promptly disclose it through this privacy policy.

Article 5 (Transfer of Personal Information Overseas)

For the purpose of service provision and convenient service use by users, the Company transmits or manages users' information overseas as follows. If you wish to refuse the transfer of personal information overseas during the use of the service, please contact the responsible department at tbus@ybtour.co.kr. However, refusal to transfer overseas may result in service restrictions.

The details of the Company's transfer of personal information overseas are as follows:
AWS only performs the physical management of the server and does not have access to the personal information of users.

Article 6 (Procedure and Method of Personal Information Destruction)

1. The Company promptly destroys personal information when it becomes unnecessary due to the expiration of the retention period or the achievement of the processing purpose, etc.
2. If personal information must be retained according to other laws despite the expiration of the agreed-upon retention period from the data subject or the achievement of the processing purpose, the Company transfers the personal information to a separate database(DB) or retains it in a different location.
3. The procedure and method of personal information destruction are as follows:
   1. Destruction Procedure: The Company selects personal information for destruction when the reason for destruction arises and obtains approval from the Company's data protection officer to proceed with the destruction.
   2. Destruction Method: Personal information recorded or stored in electronic file format is irreversibly destroyed to prevent retrieval, while personal information recorded or stored on paper documents is shredded or incinerated.

Article 7 (Rights and Obligations of Information Subjects and Legal Representatives, and Methods of Exercising Rights)

1. Data subjects have the right to request access, correction, deletion, or suspension of processing of their personal information from the Company at any time.
2. Rights can be exercised by written request, electronic mail, facsimile transmission (FAX), etc., to the Company in accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, and the Company will promptly take action.
3. Rights may also be exercised through legal representatives or delegated agents of the data subject. In such cases, a power of attorney according to Annexed Form No. 11 of the "Guidelines for Personal Information Processing Methods" must be submitted.
4. The right of the data subject to request access and suspension of processing their personal information may be restricted according to Article 35(4) and Article 37(2) of the 「Personal Information Protection Act」.
5. Requests for correction and deletion of personal information cannot be made if the collection of such information is explicitly specified by other laws.
6. The Company verifies whether the requester of access, correction, deletion, or suspension of processing of personal information is the data subject or a legitimate representative.
7. Membership registration is only available to those aged 14 and above, and personal information of children under 14, who require the consent of a legal representative for the collection and use of personal information, is not collected, in principle.

Article 8 (Measures for Ensuring the Security of Personal Information)

1. The Company takes the following measures to ensure the security of personal information:
   1. Administrative Measures
      a. The Company designates specific employees to handle personal information and implements measures to manage personal information by restricting access to authorized personnel.
      b. Regular education on personal information protection is provided to personnel handling personal information.
      c. Internal management plans are established and implemented to ensure the secure handling of personal information.
   2. Technical Measures
      a. Personal information and passwords of users are encrypted for storage and management, ensuring that only the individual can access them. Important data is encrypted or locked using separate security features for files and transmitted data..
      b. Access records to personal information processing systems are stored and managed for a minimum of 2 years.
      c. Necessary measures are taken to control access to personal information by granting, modifying, and revoking access rights to databases handling personal information. Additionally, unauthorized access from external sources is controlled through the use of intrusion prevention systems.
      d. Security programs are installed, regularly updated, and checked to prevent leakage or damage of personal information due to hacking or computer viruses. Systems are installed in restricted access areas and technically/physically monitored and blocked from external access.
   3. Physical Measures
      a. Documents and auxiliary storage media, etc. containing personal information are stored in secure locations with locking devices.
      b. Separate physical storage locations for personal information are established and access controls are established and operated for them.
2. The company implements activities beyond what is stipulated by law, such as self-regulatory activities (regular improvement activities through voluntary inspections of personal information protection using the Personal Information Protection Portal), to ensure the security of personal information.

Article 9 (Installation, Operation, and Refusal Method of Automatic Personal Information Collection Devices)

1. The Company uses 'cookies' to store and retrieve usage information periodically to provide personalized services to users.
2. Cookies are small pieces of information sent by the server (http) operating the website to the user's computer browser and may be stored on the user's PC hard drive.
   1. Cookies are small pieces of information sent by the server (http) operating the website to the user's computer browser and may be stored on the user's PC hard drive.
   2. Users have the option to install, operate, or refuse cookies and can reject all cookie storage by configuring their web browser options.
      a. Internet Explorer: Top right of the web browser > Internet Options > Privacy > Advanced > Cookie Blocking Settings
      b. Microsoft Edge: Top right of the web browser > Settings > Cookies and Site Permissions > Select level under "Cookies and Stored Data"
      c. Chrome: Top right of the web browser > Settings > Privacy and Security > Cookies and Other Site Data > Select level under the "Cookies" section
   3. Refusing cookie storage may cause difficulties in using customized services and may affect the use of some services such as automatic website login.

Article 10 (Collection, Use, and Rejection of Behavioral Information)

1. The Company collects and utilizes behavioral information during the service usage process to provide optimized personalized services, benefits, and online customized advertisements to the data subjects.
2. The Company collects behavioral information as follows:

   Collection, Use, and Rejection of Behavioral Information

   Collection Methods	Purpose of Collection and Use	Items to be collected	Period of Retention and Use
   Automatically collected when users visit the website	Usage statistics and analysis, Provision of personalized product recommendation services (including advertisements) based on users' interests and tendencies	User's website visit history, service use history, search history, purchase (payment) history, advertising identifier	To be stored for 6 months from the date of collection

3. The Company only collects the minimum necessary behavioral information required for customized online advertisements. It does not collect sensitive behavioral information that may clearly infringe upon an individual's rights, interests, or privacy, such as thoughts, beliefs, family and kinship relationships, education, medical history, or other social activity records.
4. The Company does not collect behavioral information for personalized advertising purposes from online services with users known to be under 14 years of age or from online services primarily used by children under 14 years of age. Personal information of children under 14 is not collected as a general principle.
5. Data subjects can block or allow customized online advertisements all at once by changing cookie settings in web browsers. However, changing cookie settings may affect the use of some services such as automatic website login.

   Blocking/Allowing Customized Advertisements via Web Browser
   a. Internet Explorer: Top right of the web browser > Internet Options > Privacy > Advanced > Select Cookie Blocking or Allowing
   b. Microsoft Edge: Top right of the web browser > Settings > Privacy, Search, and Services > "Tracking prevention" section > Select whether to block and the level of “Tracking Prevention” Choose whether to always use "Strict" tracking prevention when searching with InPrivate > "Privacy" section > Choose whether to send "Do Not Track" requests.
   c. Chrome: Top right of the web browser > Settings > Privacy and Security > Cookies and Other Site Data > "Cookies" section > Choose whether to block third-party cookies and site data

6. Data subjects can contact the following contact point for inquiries, exercising the right to reject, filing complaints related to behavioral information.
   • Personal Information Protection Department

     Department

     Operations Team

     Contact

     (Phone) +82-2-2263-9002 / (Email) tbus@ybtour.co.kr

Article 11 (Linked Sites)

1. The Company may provide links to websites or materials of other companies to users. In this case, the Company does not have any control over external sites and materials, so it does not take responsibility for the truthfulness, usefulness, etc., of services or materials provided on the external websites, nor does it provide any guarantees.
2. The Company's personal information processing policy does not apply to linked sites other than the Company's official site. When clicking on links contained on the Company's website to navigate pages of other companies' websites, users should verify the policies of the visited sites.

Article 12 (Rights and Obligations of Users)

1. Users have the right to have their personal information protected and bear the obligation to refrain from infringing upon the information of others, such as through posts, as well as protect their own personal information. If users fail to fulfill their obligations and damages the information of others, they may be subject to punishment under the 「Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.」.
2. The Company shall not be held responsible for issues arising from the user's negligence, such as sharing their ID and password or leaving their account logged in unattended. It is recommended that users securely manage their IDs and passwords and regularly change their passwords to protect their personal information.
3. Users are responsible for maintaining their personal information up to date, and any issues arising from incorrect information input are the responsibility of the user. If false information is used, such as unauthorized use of others' information, users may lose their membership status, face service restrictions, and be subject to punishment under relevant laws.

Article 13 (Personal Information Protection Manager and Request for Access to Personal Information)

1. The Company appoints a personal information protection manager who is responsible for overseeing personal information processing and handling complaints and remedies related to personal information processing.

   Personal Information Protection Manager

   Category	Name	Contact
   Personal Information Protection Manager	Job Title : General Manager Name : Hong Joon-pyo	Phone: +82-2-2263-9002 Email address: tbus@ybtour.co.kr

2. Data subjects may request access to their personal information through the personal information protection manager in accordance with Article 35 of the 「Personal Information Protection Act」. The Company will strive to promptly process data subject's requests for access to personal information.
3. Data subjects may inquire about all matters related to personal information protection, complaint handling, and damage relief arising from the use of the Company's services through the personal information protection manager. The Company will promptly respond to and handle data subject's inquiries.

Article 14 (Remedies for Violation of Data Subject's Rights)

1. Data subjects may seek remedy for personal information infringement by applying for dispute resolution or counseling to the Personal Information Dispute Mediation Committee, the Personal Information Infringement Reporting Center of the Korea Internet & Security Agency, etc. For other reports or inquiries regarding personal information infringement, please contact the following institutions:
   1. Personal Information Dispute Mediation Committee: +82-1833-6972 (www.kopico.go.kr)
   2. Personal Information Infringement Reporting Center: +82-118 (privacy.kisa.or.kr)
   3. Supreme Prosecutors' Office: +82-1301 (www.spo.go.kr)
   4. National Police Agency: +82-182 (ecrm.cyber.go.kr)
2. The company ensures the data subject's right to self-determination of personal information and strives to provide consultation and remedy for personal information breaches. If reporting or consultation is necessary, please contact the responsible department below:
   • Customer Counseling and Reporting for Personal Information Protection

     Department

     Operations Team / General Manager: Hong Joon-pyo

     Contact

     (Phone) +82-2-2263-9002 / (Email) tbus@ybtour.co.kr

3. In accordance with the provisions of Article 35 (Access to Personal Information), Article 36 (Correction or Erasure of Personal Information), and Article 37 (Suspension of Processing of Personal Information) of the 「Personal Information Protection Act」, individuals who have suffered infringement of rights or interests caused by disposition or omission of public power by a public authority may file administrative appeals in accordance with the Administrative Appeals Act.

   Central Administrative Appeals Commission: +82-110 (www.simpan.go.kr)

Article 15 (Operation and Management of Video Information Processing Devices)

The Company operates and manages video information processing devices for the purpose of facility safety, fire prevention, crime prevention, and prevention of vehicle theft and damage in accordance with Article 25(1) of the 「Personal Information Protection Act」. For more details, please refer to the "Policy for Operation and Management of Video Information Processing Devices."

Article 16 (Changes to Privacy Policy)

1. In the event that the Company changes this Privacy Policy, it will specify the reason for the change and the effective date, and notify users on the service screen before the effective date. However, if there are significant changes affecting the rights or obligations of users, it will be notified through the "Notice" section on the website or mobile app.
2. This Privacy Policy shall be effective from March 26, 2024.